The Countermeasure is delivered to your inbox each Saturday, giving you insights on enterprise security developments you may have missed.
Do Androids Dream of Safe Apps?
In This Issue:
- Google Play: Home to Hundreds of Unsafe Antivirus Products
- Online Voting Riddled With Security Problems
- Another Industrial Hack
- Phone numbers for ID verification = ?
- Scholar Says Cybersecurity ‘Not Important’
Google Play: Home to Hundreds of Unsafe Antivirus Products
AV Comparatives did a study of the effectiveness of 250 antivirus apps for Android. They found that only 80 of the products managed to detect more than 30% of common Android malware, and an even smaller number (23 apps) could detect 100% of attacks.
On some level this is unsurprising, but it gets a mention due to the completely absurd levels of incompetence described. Some of the apps studied were not performing a virus scan or anything similar. They were just checking the name of downloaded packages against a list of approved or disallowed apps. This meant that an attacker could simply rename a package to slip it past a user’s defences.
Graham Cluley writes that Google Play is flooded with hundreds of unsafe anti-virus products. Things get truly ridiculous when you read that "some anti-virus apps even managed to detect themselves as malicious – because their creators forgot to add their package names to the whitelist."
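The two failures described above, reproduced as an added example (not code from the study or from any product it tested): a name-only check passes a renamed package and flags the scanner itself, while a check on signer and contents does neither. All package names, certificates, payloads and the signer-pinning scheme are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: every name, certificate and payload is invented.
# Assumption: each trusted package name is pinned to the digest of its signer.
TRUSTED = {"com.example.mail": sha256(b"mail-vendor-cert"),
           "com.example.maps": sha256(b"maps-vendor-cert")}
KNOWN_BAD = {sha256(b"constructed-bad-payload")}

def name_only_verdict(pkg):
    """Flawed check from the study: only the package name is examined."""
    return "clean" if pkg["name"] in TRUSTED else "malicious"

def content_verdict(pkg):
    """Check properties a rename does not change: contents and signer."""
    if sha256(pkg["payload"]) in KNOWN_BAD:
        return "malicious"
    pinned = TRUSTED.get(pkg["name"])
    if pinned is not None and pinned != sha256(pkg["cert"]):
        return "impersonation"  # trusted name, but not the trusted signer
    return "clean" if pinned else "unknown"

SAMPLES = [
    {"name": "com.example.mail", "cert": b"mail-vendor-cert",
     "payload": b"mail app"},
    # The same bad payload under its own name, then under a trusted name.
    {"name": "com.example.flashlight", "cert": b"other-cert",
     "payload": b"constructed-bad-payload"},
    {"name": "com.example.maps", "cert": b"other-cert",
     "payload": b"constructed-bad-payload"},
    # The scanner itself, whose authors forgot to list their own package.
    {"name": "com.example.scanner", "cert": b"scanner-cert",
     "payload": b"scanner app"},
]

def compare(samples=SAMPLES):
    """Return (name, name-only verdict, content verdict) for each sample."""
    return [(p["name"], name_only_verdict(p), content_verdict(p))
            for p in samples]

if __name__ == "__main__":
    for row in compare():
        print("%-24s name-only=%-10s content=%s" % row)
```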
Countermeasure:
The study is available here and contains a comprehensive naughty/nice list that you should check before purchasing a security product for Android. Cluley's article contains additional good advice.
Remember that antivirus apps can actually be malware in disguise. They can even use the name of a reputable antivirus vendor, and then game the reviews to make it look like their product is popular. Once you’ve chosen a security product for your Android device, download it from the vendor's website instead of from the Play store.
Further reading on Android and security: Android should let users deny and revoke apps' Internet permissions.
Online Voting Riddled With Security Problems
That electronic voting systems are horrifically insecure nightmare-tier harbingers of the apocalypse should no longer surprise us. Diligently reminding us of this, we have: Researchers Find Critical Backdoor in Swiss Online Voting System. For a little bit of extra commentary, this is worth a read: A critical flaw in Switzerland's e-voting system is a microcosm of everything wrong with e-voting, security practice, and auditing firms.
Let us not forget, of course, that the inevitable outcome of a hacked election is the election of Bender Bending Rodriguez: Hackers Elect Futurama’s Bender to the Washington DC School Board, though there is some hope for the future: DARPA Is Building a $10 Million, Open Source, Secure Voting System. Interestingly, they want to fix the problem in hardware, not in code.
Countermeasure:
The trials and tribulations of e-voting systems are instructive to any organization attempting to ensure the identity of strangers, and/or attempting to keep secure data originating from kiosks. E-voting issues are worth studying if only to learn how not to approach these problems, allowing your team to make entirely novel mistakes from which others can inevitably learn as well.
Another Industrial Hack
The LockerGoga malware has been all over the news lately. “Severe” ransomware attack cripples big aluminum producer is a great write-up, but Hydro working hard to recover following ransomware attack and Ransomware or Wiper? LockerGoga Straddles the Line are also worth perusing.
LockerGoga straddles the line between ransomware and wiper. It is seen using ransomware-like encryption, but has also been seen logging users off of their systems after encrypting things, and not letting the user log back on. This means that many users don't even see the ransom note, and are thus unable to pay the ransom for their data.
Related Tweet: "I’m slightly confused by the LockerGoga business model." - Lesley Carhart (@hacks4pancakes)
Countermeasure:
Gone are the days where one could assume that if they got hit by ransomware, the ransom could simply be paid, and the data restored. Invest in backups, and do so now. If your data doesn't exist in at least two places, then it simply does not exist.
Phone Numbers For ID Verification = ?
Why Phone Numbers Stink As Identity Proof. Just as biometrics are not a replacement for passwords, phone numbers are not a replacement for any aspect of authentication. The idea is malodorous, and Krebs has an in-depth look at how we got to the ridiculous, terrifying, unfortunate point where far too many organizations use phone numbers for security purposes, and sometimes do not offer any alternative.
Countermeasure:
Krebs suggests checking out the “What Can You Do?” section of Hanging Up on Mobile in the Name of Security. He also linked to this guide for anyone using G Suite products who wants to turn off phone-number-based authentication: Disable SMS or voice codes for 2-Step Verification for more secure accounts.
Scholar Says Cybersecurity ‘Not Important’
Andrew Odlyzko, a professor in the University of Minnesota's School of Mathematics, wrote a paper called Cybersecurity is not very important.
From the abstract of that paper: "This 'chewing gum and baling wire' approach is likely to continue to be the basic method of handling problems that arise, and to provide adequate levels of security." Odlyzko's paper rambles enough that it’s difficult to extract his main argument. This quote probably comes closest:
"Why have there been no giant cybersecurity disasters? Why is the world in general doing as well as it is? Skeptics might object and point out to any number of ransomware, identity theft, and other cybercrime cases. But those have to be kept in perspective, as is argued in more detail later. There have been many far larger disasters of the non-cyber kind, such as 9/11, Hurricane Sandy, the Fukushima nuclear reactor meltdown, and the 2008 financial crash and ensuing Great Recession."
To paraphrase: nobody has died yet, so that's all right then. Cybersecurity can keep on with business as usual.
A similar (but more concise) view is offered by Daniel Miessler: Why Software Remains Insecure. But an important difference is that Miessler doesn't claim that the infosec status quo is just dandy until several thousand people shuffle off the mortal coil. Rather, he says that until people die, we’re unlikely to see much useful change in security practices.
Bruce Schneier's reaction to Odlyzko's paper was "while Internet security is terrible, it really doesn't affect people enough to make it an issue. This … is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data." Why Internet Security Is So Bad.
If Odlyzko's paper gets much attention, which it might after a mention on Schneier's blog, expect an eruption of Internet argument. Check out the comments on this article for a sample of what might be coming. An Argument that Cybersecurity Is Basically Okay. And the conversation is also happening on Peerlyst. Cybersecurity is not very important. You may wish to bring your lethally sharpened wit, a flak jacket, or a bag of popcorn, depending on how you like your debates.
If you want to wade into the argument, we present the following for your consideration:
Experts say there were similarities in the Ethiopian Airlines and the Lion Air crashes. What were they? To be clear, there is no evidence that the crashed plane was hacked, and the article is not trying to claim anything of the sort. The interesting bit is about a piece of automated flight software.
"The MCAS is a system that automatically lowers the nose of the plane when it receives information from its external angle of attack (AOA) sensors that the aircraft is flying too slowly or steeply, and at risk of stalling. The AOA sensors send information to the plane's computers about the angle of the plane's nose relative to the airflow over and under the wings to help determine whether the plane is about to stall."
It’s unknown whether the software or sensors played any role in the disaster. But their mere presence on the airplane means that Schneier's prediction is worth some thought: "Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data."
Insert Skimmer + Camera Cover PIN Stealer. A brief look (with photos) at an ATM card skimmer setup that uses the ATM’s own security camera to steal PINs.
Countermeasure:
How do you deal with cybersecurity skeptics? The response to Odlyzko's paper will probably provide a lot of different ways to argue that security is important. Rifle through the comments and pick a few good talking points to use the next time someone says, "but what's the big deal? It's just computers; it doesn't affect the real world." Our countermeasure newsletters have had stories just about every week about how cybersecurity affects the physical world in manufacturing, transportation, democratic elections, and medical devices.
Tweet of the Week:
I am doubling down on my "moving to the woods" plan.
"The new Porsche 911 (992) has a 'wet mode' that engages when the roads are wet. How does it detect wet roads? CV? No. Moisture sensors? No. "Splash acoustics" Microphones are everywhere." - Charlie Kindel (@ckindel)
Videos of the Week
- A Guided Tour of the Data Facebook Uses to Target Ads <-- Facebook's announcement that it wants to focus on privacy has been in the news and The Countermeasure for the last two weeks. If you want to brush up on (some of) what data Facebook collects on users, this article is worth a read. If Facebook really wants to take privacy seriously, it seems they have a long way to go.
- Myspace has lost all the music users uploaded between 2003 and 2015 <-- Myspace oopsied what's left of their business not because of a hack, but because they chose not to back up their data. Have you tested your backups today? You should test your backups. Go test your backups.
- MY TAKE: Get ready to future-proof cybersecurity; the race is on to deliver ‘post-quantum crypto’
- Researchers fret over Netflix interactive TV traffic snooping
- Elsevier exposes users’ emails and passwords online <-- Don't store passwords in plain text. Just don't, okay?
- Hacked tornado warning systems leave Texans in the dark
Resource of the Week
- Surveillance Self-Defense. Described as "Tips, Tools and How-tos for Safer Online Communications."